This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: OpenClaw < 2026.3.22 has a **Privilege Escalation** flaw. π **Consequences**: Attackers can hijack the initial setup process to gain **unauthorized high-level access**, bypassing intended security roles.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **Root Cause**: **CWE-648** (Incorrect Use of Privilege Privileges). The flaw lies in the **pairing code** logic during bootstrap setup, which fails to bind strictly to the expected device role and scope.
Q3Who is affected? (Versions/Components)
π¦ **Affected**: **OpenClaw** (Open Source AI Assistant). Specifically, all versions **prior to 2026.3.22**. If you are running an older build, you are vulnerable.
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: Can escalate privileges **beyond the expected role**.β¦
β‘ **Exploitation Threshold**: **LOW**. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. No authentication, no user interaction, and network-accessible. Itβs a **critical** ease-of-exploit scenario.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Public Exploit**: **No**. The `pocs` field is empty. While the vulnerability is known, there are currently **no public PoCs** or wild exploits available in the wild.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Check your **OpenClaw version number**. If it is **< 2026.3.22**, you are at risk. Look for the **pairing/bootstrap setup** phase in your logs for anomalies.
Q8Is it fixed officially? (Patch/Mitigation)
β **Official Fix**: **Yes**. Patched in version **2026.3.22**.β¦
π§ **No Patch Workaround**: If you cannot update immediately, **restrict network access** to the pairing interface. Ensure **strict isolation** during the initial device setup to prevent unauthorized pairing attempts.
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: **CRITICAL**. With `PR:N` (No Privileges Required) and `UI:N` (No User Interaction), this is a **high-priority** fix. Update to **2026.3.22+** immediately to prevent privilege escalation.